New MFA Requirements for Partners
We are a CSP Partner and have received the notice regarding the new MFA requirements. The requirements state the following:
All users in partner tenants must use Multi-Factor Authentication (MFA) when signing into Microsoft commercial cloud services or to transact in CSP through Partner Center or via APIs.
If I read this correctly the requirement is for "Partner Tenants" meaning all the tenants of our partner account. Is this correct? If so, does this mean we need to force MFA for all users of Office 365 at all of our customers (tenants)? This seems like a very large change to push down in just a little over a month.
We are a CSP partner and we have AAD Premium P1. We have created our own MFA policy. It has been applied to a group not all users.
Question 1: Are we going to meet this requirement by using our own MFA policy and not the baseline policies?
Question 2: We have an office location exclusion in our policy, so when users log in from our office it does not require MFA. Is this OK with the new security requirements?
Reg. 1 - you can use your own MFA setup and you do not need to use the baseline policies. You just need to make sure that all users in the tenant are authenticated via MFA. You can create your own conditional access rules and use user groups for the assignment, but you need to make your different rules enforce MFA for all users and not only those of a certain group.
Reg. 2 - No, an exception for trusted locations/IPs does not fulfill the requirements.
Partner tenant = the tenant you use as Partner for CSP business. This does not apply to end customer tenants you are managing (those tenants might be created by you initially, but they are actually owned by the customer).
The above statement is not correct, if you use Partner Center API to create customer tenants. As of this date, when you do that, the customer tenant has Security Defaults turned on by default, and *all* users within the tenant are required to use MFA to log into office.com. When I manually turn Security Defaults off for the customer tenant, the users no longer are subject to MFA.
Besides the annoyance for end users, this has broken our integration, as we make many calls AOBO the customer tenant that have become subject to MFA, which is impossible to perform.
And I just tested the behavior for an AOBO call to a customer tenant that has Security Defaults enabled - actually those are not blocked anyway when the Partner has gone through MFA before (so no additional MFA prompt will appear when accessing the customer with a user account that is an admin agent).
Interestingly, if the Partner user is also added as guest in the customer tenant, Partner user will see a 2nd MFA prompt, so be sure not to add any of the admin agents to the customer tenant as guest.
Just want to piggyback on here with a related question.
I am having the hardest time trying to find out for sure if it's all users in my tenant or only admins that have to be MFA authenticated. Some of the documentation leads me to believe it's all users, and then other documentation leads me to believe it's only admins.
For example, this quote from this page leads me to believe it's only admins.
A partner has some users in their partner tenants who do not require access to Microsoft Online Services Portals to manage customer resources using Partner Delegated Administration Privileges. The partner is in the process of implementing MFA for the...
Answer: No. Since these user accounts are not using Partner Delegated Administration Privileges to manage customer resources, they will not be required to sign-in to customer tenant. They will not be affected by Azure AD requiring MFA verification du...
@jstarnes It is all users, including guests and service accounts.
The article you mentioned only talks about the ability to request a technical exception - and this is only applicable if a user account would be affected by the MFA enforcement.
So from a contract perspective all users need to be enabled for MFA; technically it will only be enforced/checked for access to end customer tenants and Partner Center. At least this is how the enforcement will be implemented currently; maybe enforcement will be expanded to other scenarios in the future.
The FAQ mentions that it applies to all users several times: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq - and of course the MPA says the same.
Did you get an answer to this? We have implemented MFA for all our partner "normal" users, but we have hundreds of AAD Guest users since we have dozens of client project SharePoint sites that our client users have logged into. I am hesitant to enable MFA for the guest users.
@ford_sopris: MFA also needs to be enabled for guests (Azure AD Security Defaults will do that as well).
- All enabled users including guest users
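An added example, not from any poster in this thread: an offline check of exported Conditional Access policies against the points made in the Reg. 1 / Reg. 2 answer and the guest-user note above (all users including guests, every cloud app, no trusted-location exception). Policy dicts follow the field names of Microsoft Graph conditionalAccessPolicy objects; the two sample policies and the group id placeholder are constructed for the example.

```python
def policy_findings(policy: dict) -> list[str]:
    """Reasons this policy alone fails the partner MFA requirement (empty list = it passes)."""
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    controls = policy.get("grantControls") or {}
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy not enabled (report-only or disabled)")
    if "mfa" not in controls.get("builtInControls", []):
        findings.append("grant control does not require MFA")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("not scoped to all cloud apps")
    # "All" covers members and guests; a group-only assignment leaves everyone else unprotected
    if "All" not in users.get("includeUsers", []):
        findings.append("assigned to specific users/groups, not all users (guests included)")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        findings.append("excludes some users or groups from MFA")
    # Reg. 2 in the thread: a trusted-location / office IP exception is not acceptable
    if (cond.get("locations") or {}).get("excludeLocations"):
        findings.append("excludes trusted locations from MFA")
    return findings

def tenant_meets_requirement(policies: list[dict]) -> bool:
    """True if at least one enabled policy enforces MFA for everyone, from everywhere."""
    return any(not policy_findings(p) for p in policies)

# Constructed samples shaped like Graph conditionalAccessPolicy objects: the first mirrors the
# group assignment + office-location exclusion from the thread, the second is the corrected policy.
GROUP_POLICY_WITH_OFFICE_EXCLUSION = {
    "displayName": "MFA for IT group",
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": ["All"]},
        "users": {"includeUsers": [], "includeGroups": ["<it-staff-group-id>"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
ALL_USERS_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": ["All"]},
        "users": {"includeUsers": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
```

Running `policy_findings` over a real export (for example the JSON returned by the Graph conditional access policies endpoint) reports which policies still rely on group scoping or location exclusions that the requirement does not accept.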
Hi, we're trying to implement this properly in order to be compliant.
We utilize 3rd-party Duo MFA and have successfully implemented it via conditional access policies, but the Partner Centre doesn't trigger the Duo MFA. It only brings up the Azure MFA.
How do I trigger that so we're compliant?
You might need to request for a technical exception in this situation: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-mandating-mfa#issue-6-partner-has-implemented-third-party-mfa-that-isnt-recognized-by-azure-ad
If you have ensured that all users do MFA you maybe are already compliant, but this is more like a technical problem to recognize MFA.
This is also noted as known issue here: https://docs.microsoft.com/en-us/partner-center/partner-security-compliance#are-you-using-third-party-mfa-solution
Yes, and the statement above is still correct. Partners don't have to use Security Defaults; they can use other methods that ensure all their user accounts are protected with MFA.
It is also true that beginning Oct. 22 2019 new tenants may have AAD Security defaults turned on - regardless if you create them via the Portal or the Partner Center API.
And it is still true that there is no requirement for end customers to leave the security defaults enabled; only Partners are required to use MFA, not end customers (though it is also recommended for them).
We have a lot of users; implementing MFA for the admin accounts is fine, but implementing it for all users is not great in one month.
But as I understand the text, it means that all clients in the partner tenants, i.e. all of us here, need to force MFA on all user accounts.